Functional analysis of eBPF sockops

2022-06-24 21:24:00 already_ skb

How eBPF sockops is implemented

You may be curious why eBPF sockops lets us extract the data we want.

Normally there are two ways to implement this kind of feature: the first is to embed hook functions on the critical path; the second is to insert kprobes.

eBPF sockops uses the first method: hook functions are embedded in the critical path. This makes it hard to extend, because new hook functions generally have to be planned and embedded in advance when the kernel version is upgraded.

Which functions eBPF sockops supports

Which functions eBPF sockops supports depends on the paths where the hook functions are embedded; see the following code:


enum {
        BPF_SOCK_OPS_VOID,
        BPF_SOCK_OPS_TIMEOUT_INIT,      /* Should return SYN-RTO value to use or
                                         * -1 if default value should be used
                                         */
        BPF_SOCK_OPS_RWND_INIT,         /* Should return initial advertized
                                         * window (in packets) or -1 if default
                                         * value should be used
                                         */
        BPF_SOCK_OPS_TCP_CONNECT_CB,    /* Calls BPF program right before an
                                         * active connection is initialized
                                         */
        BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB,     /* Calls BPF program when an
                                                 * active connection is
                                                 * established
                                                 */
        BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB,    /* Calls BPF program when a
                                                 * passive connection is
                                                 * established
                                                 */
        BPF_SOCK_OPS_NEEDS_ECN,         /* If connection's congestion control
                                         * needs ECN
                                         */
        BPF_SOCK_OPS_BASE_RTT,          /* Get base RTT. The correct value is
                                         * based on the path and may be
                                         * dependent on the congestion control
                                         * algorithm. In general it indicates
                                         * a congestion threshold. RTTs above
                                         * this indicate congestion
                                         */
        BPF_SOCK_OPS_RTO_CB,            /* Called when an RTO has triggered.
                                         * Arg1: value of icsk_retransmits
                                         * Arg2: value of icsk_rto
                                         * Arg3: whether RTO has expired
                                         */
        BPF_SOCK_OPS_RETRANS_CB,        /* Called when skb is retransmitted.
                                         * Arg1: sequence number of 1st byte
                                         * Arg2: # segments
                                         * Arg3: return value of
                                         *       tcp_transmit_skb (0 => success)
                                         */
        BPF_SOCK_OPS_STATE_CB,          /* Called when TCP changes state.
                                         * Arg1: old_state
                                         * Arg2: new_state
                                         */
        BPF_SOCK_OPS_TCP_LISTEN_CB,     /* Called on listen(2), right after
                                         * socket transition to LISTEN state.
                                         */
};

BPF_SOCK_OPS_TIMEOUT_INIT

The literal meaning is already obvious: the SYN-RTO timeout. Both client and server modes are supported.

BPF_SOCK_OPS_RWND_INIT

The literal meaning is even more obvious: extract the initial RWND. Both client and server modes are supported. This function works in the connection establishment phase.

BPF_SOCK_OPS_TCP_CONNECT_CB

Called when an active TCP connection is about to start, inside the function int tcp_connect(struct sock *sk).

In plainer terms, it is called at the first step of the TCP three-way handshake (when the SYN is sent).

BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB

Called for a passive connection, when the SYN is received.

There is also a niche scenario: it is called for TCP connections during live migration.

BPF_SOCK_OPS_NEEDS_ECN

Called in ECN mode, specifically during the connection phase of an ECN-type TCP connection (when sending a SYN and when receiving a SYN).

BPF_SOCK_OPS_BASE_RTT

Don't worry about this function; currently the call point is embedded only in the tcp_nv congestion control algorithm.

Of course, you can use it if you want by embedding the call point in the .init interface of your own congestion control algorithm.

BPF_SOCK_OPS_RTO_CB

Called after a retransmission timeout, but not necessarily: it is not on the main path, and the function may exit early. For the specific code, see the function void tcp_retransmit_timer(struct sock *sk).

BPF_SOCK_OPS_RETRANS_CB

It is called when a segment is retransmitted; the specific code is in the __tcp_retransmit_skb function. If you count the retransmission rate here, you must check the hook function's 5th parameter, which describes whether the retransmission succeeded.

BPF_SOCK_OPS_STATE_CB

Called when the TCP connection state changes. The TCP states are as follows:

enum {
        TCP_ESTABLISHED = 1,
        TCP_SYN_SENT,
        TCP_SYN_RECV,
        TCP_FIN_WAIT1,
        TCP_FIN_WAIT2,
        TCP_TIME_WAIT,
        TCP_CLOSE,
        TCP_CLOSE_WAIT,
        TCP_LAST_ACK,
        TCP_LISTEN,
        TCP_CLOSING,    /* Now a valid state */
        TCP_NEW_SYN_RECV,

        TCP_MAX_STATES  /* Leave at the end! */
};

With this function you can collect detailed state statistics for TCP connections, but it does nothing for you.
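Added example (not from the original post or the kernel source): a userspace C model of the accounting a sockops handler could do for BPF_SOCK_OPS_RETRANS_CB and BPF_SOCK_OPS_STATE_CB, using the op values, state values and Arg meanings from the enums above. The struct and function names and the event trace are constructed for illustration; in a real program the same checks would read the op and args fields of struct bpf_sock_ops.

```c
#include <stdint.h>

/* Op and state values copied from the kernel enums quoted on this page. */
enum { OP_RETRANS_CB = 9, OP_STATE_CB = 10, OP_TCP_LISTEN_CB = 11 };
enum { ST_ESTABLISHED = 1, ST_SYN_SENT = 2, ST_CLOSE = 7 };

/* Hypothetical stand-in for the op/args fields of struct bpf_sock_ops. */
struct sockops_event { uint32_t op; uint32_t args[3]; };

struct tcp_stats {
    uint64_t retrans_calls;   /* RETRANS_CB invocations                */
    uint64_t retrans_segs_ok; /* segments whose retransmit succeeded   */
    uint64_t retrans_failed;  /* tcp_transmit_skb returned non-zero    */
    uint64_t established;     /* transitions into ESTABLISHED          */
    uint64_t connect_failed;  /* SYN_SENT -> CLOSE, handshake not done */
};

static void account(struct tcp_stats *s, const struct sockops_event *e)
{
    if (e->op == OP_RETRANS_CB) {
        s->retrans_calls++;
        if (e->args[2] == 0)                  /* Arg3: 0 => success */
            s->retrans_segs_ok += e->args[1]; /* Arg2: # segments   */
        else
            s->retrans_failed++;              /* attempt never left */
    } else if (e->op == OP_STATE_CB) {        /* Arg1 old, Arg2 new */
        if (e->args[1] == ST_ESTABLISHED)
            s->established++;
        else if (e->args[0] == ST_SYN_SENT && e->args[1] == ST_CLOSE)
            s->connect_failed++;
    }                                         /* other hooks ignored */
}

/* Constructed sample trace, not captured from a real kernel. */
static const struct sockops_event sample[] = {
    { OP_STATE_CB,      { ST_SYN_SENT, ST_ESTABLISHED, 0 } },
    { OP_RETRANS_CB,    { 1000, 3, 0 } },
    { OP_RETRANS_CB,    { 1000, 1, (uint32_t)-105 } }, /* failed send */
    { OP_STATE_CB,      { ST_SYN_SENT, ST_CLOSE, 0 } },
    { OP_TCP_LISTEN_CB, { 0, 0, 0 } },
};

static struct tcp_stats run_sample(void)
{
    struct tcp_stats s = {0};
    for (unsigned i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        account(&s, &sample[i]);
    return s;
}
```

In the kernel these two callbacks fire only for sockets on which the program has enabled them with bpf_sock_ops_cb_flags_set() (BPF_SOCK_OPS_RETRANS_CB_FLAG, BPF_SOCK_OPS_STATE_CB_FLAG).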

BPF_SOCK_OPS_TCP_LISTEN_CB

Called on the listen system call.

The value of eBPF sockops

1. Frankly speaking, the idea behind eBPF sockops is very good: we can see the details inside the protocol stack from the outside.

2. Frankly speaking, eBPF sockops is rather like chicken ribs (little substance, yet a pity to throw away): of its 11 features, 7 concern the TCP handshake phase. The design is astonishing: is the handshake phase really the most important thing about a TCP connection?

3. The most practical function is BPF_SOCK_OPS_RETRANS_CB; I won't go into detail.

4. A function with potential is BPF_SOCK_OPS_STATE_CB, because I haven't figured out how to use it.

What I expect from eBPF sockops is not only an understanding of the details of the TCP handshake phase but, more importantly, an understanding of why the TCP protocol stack performs well or badly, plus data monitoring capability based on fine-grained operational requirements (this is the need from an engineering perspective).

Copyright notice
This article was written by [already_ skb]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202211315155970.html